1. Field of the Invention
The present invention generally relates to computer system security and, more particularly to, authenticating users at the operating system level in multi-user computer systems. It supports system administrators in limiting the ability of unauthorized users to disrupt system operations by using a neural network and set of rules to track usage patterns and flag suspicious activity on the system.
2. Background Description
Multi-user operating systems often have holes in their built-in security measures that can allow access by unauthorized users. The UNIX operating system (OS) will be used to illustrate the state of operating system security issues; however, these problems exist in varying degrees for many state-of-the-art operating systems, today. (UNIX is a registered trademark of SCO.)
The UNIX operating system, though used extensively in all kinds of environments, was not really designed with security in mind. See "On the Security of UNIX" by Dennis M. Ritchie (reprinted in UNIX System Manager's Manual 4.3, Berkeley Software Distribution, University of California, April 1986). The need for greater security arose in the early 1980's when Universities moved their UNIX systems from laboratories to computer centers and many business and Government institutions started installing UNIX systems. Additional features such as remote login, remote command execution, file transfer, electronic mail and networking have made operating systems more complex. Moreover, massive connections of UNIX systems to the Internet have opened more possibilities of security attack on these systems.
FIG. 1 shows a block diagram of a UNIX system server 102 connected to both a Local Area Network (LAN) 103 and the Internet 104. The LAN 103 includes a plurality of client workstations 105i to 105n which access the system server 102. Additional client workstations 106i to 106n also access the system server 102 via the Internet 104. The system server 102 includes a data storage device 107, such as one or more mass storage devices, storing databases and other information which may be accessed by a workstation, either via the LAN 103 or the Internet 104.
Security is one of the biggest concerns for Open systems like UNIX systems. As the systems and tools become more secure, the hackers or persons intent on "breaking" into the systems become even more knowledgeable. If a UNIX system has connectivity outside of a "trusted" network (i.e., the LAN 103), for instance when connected to the Internet 104, various security barriers have been devised, as generally indicated at 108. Such barriers are known in the art as "firewalls". However, these security barriers can be breached.
Security problems can result in costly disruptions from normal operations and/or the loss of private or proprietary data through destruction or theft. Depending on the importance of the data, its loss or theft may pose personal, business, national or international threat. While the extent of damage could be minimized by using various measures, the optimal solution would be to prevent any intrusion or break-in or at least minimize the damage if an intrusion should occur.
The goals of computer and network security are three-fold:
Integrity of data--deals with preservation of contents against all unauthorized change. PA1 Privacy of information--relates to restricting access to objects only to authorized persons. PA1 Availability of computer resources--implies that all authorized users have access to the system for legitimate use.
Typically, a process of authentication restricts user access to a computer system. All modem computing systems that have capabilities for multiple users have a means of identifying who is using the computer at any given time. User authentication is typically implemented in the form of password protection for a system. Password protection is, however, a weak defense. Passwords that are not randomly generated, can often be easily cracked. Passwords that are randomly generated pose a different threat because they are often written down, so as not to be forgotten.
Security problems arise when someone breaks into a system using a legitimate user identification (ID) with the intent of doing illegitimate activities. In the UNIX OS, for instance, a special user (root) is used for administrative purposes. Anyone gaining access to a root account ID can bypass all security restrictions within the system. In the UNIX OS, the finger or who commands are typically used to determine who is logged on.
These commands return the account IDs (userids) of all persons presently logged on. Currently, the system administrator 101 has no way to verify that the person who is using a particular ID is in fact the owner of the ID.